Cross-account role trust policies should trust AWS accounts, not roles

https://aws.amazon.com/blogs/networking-and-content-delivery/application-load-balancer-type-target-group-for-network-load-balancer/

Found this in the context of access control to event carried sensitive data

Source: Twitter

Tags: IAM, aws